[ad_1]
Microsoft corrected the PrintNightmare vulnerability in Windows Print Spooler by requiring users to have administrative privileges when using Point and Print to install printer drivers.
In June, a security researcher accidentally revealed a Windows zero-day print spooler vulnerability dubbed PrintNightmare (CVE-2021-34527). When exploited, this vulnerability allowed remote code execution and the ability to gain local SYSTEM privileges.
Microsoft soon released a security update that fixed the remote code execution component.
However, researchers quickly discovered that it was possible to exploit the Point and Print feature to install malicious print drivers that allowed underprivileged users to gain SYSTEM privileges in Windows.
Point and Print is a Windows feature that allows users to connect to any print server, even a remote one, connected to the Internet, and automatically download and install the server’s printer drivers.
Using this feature, the security researcher Benjamin Delpy created a remote print server which installed a printer driver allowing any low privilege user to open a command prompt with SYSTEM privileges as shown in the video below.
With this SYSTEM level command prompt, the user now has full control over the device.
Point and print now requires administrative privileges
As part of the August 2021 Patch Tuesday security updates, Windows now requires a user to have administrative privileges to install a printer driver through Point and Print.
“Our investigation of several vulnerabilities collectively referred to as ‘PrintNightmare’ determined that Point and Print’s default behavior does not provide customers with the level of security required to protect against potential attacks,” Microsoft said in a new advisory.
Today we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges. Installing this update with the default settings will mitigate publicly documented vulnerabilities in the Windows Print Spooler service. “
“This change will take effect with the installation of security updates released August 10, 2021 for all versions of Windows, and is documented as CVE-2021-34481.”
Microsoft warns that this change may impact organizations that previously allowed non-advanced users to add or update printer drivers because they will no longer be able to do so.
For organizations that require non-advanced users to install printer drivers, Microsoft has posted an advisory with instructions on how to disable this hotfix.
However, Microsoft strongly recommends that users do not disable this change because it “will expose your environment to publicly known vulnerabilities in the Windows Print Spooler service.”
[ad_2]
Source link